vundo problems

Started by trouble, March 02, 2008, 05:23:20 PM

trouble

I have a ton of temp files on one of my directories that makes the file huge.  I will try and split it up in a couple of files and see if it works.

Sorry for the hassle.
1st half


[attachment deleted by admin]

trouble

2nd part

[attachment deleted by admin]

trouble

3rd part.  I obviously have a ton of temp files that were created on one of the directories.  Sorry for the hassle of this huge file.

[attachment deleted by admin]

trouble

Here is a fresh Hijack this log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:17 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareStop] C:\Program Files\SpywareStop\SpywareStop.exe -boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: 
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 10600 bytes

I cannot find the combofix log.  Can I rerun the last process and then post it?

Clark76

Look for the Combofix log here:
C:\ComboFix.txt
Proud Member of ASAP
Proud Member of UNITE

trouble

Thank you!  Combofix log:

ComboFix 08-03-04.2 - Mark Neary 2008-03-09 10:17:48.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.229 [GMT -7:00]
Running from: C:\Documents and Settings\Mark Neary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Neary\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\tmp.reg
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\tmp.reg

.
(((((((((((((((((((((((((   Files Created from 2008-02-09 to 2008-03-09  )))))))))))))))))))))))))))))))
.

2008-03-03 00:16 . 2008-03-03 00:16   <DIR>   d--------   C:\Documents and Settings\Mark Neary\Application Data\Talkback
2008-03-03 00:15 . 2008-03-03 00:15   <DIR>   d--------   C:\Program Files\Common Files\xing shared
2008-03-03 00:15 . 2008-03-03 00:15   0   --a------   C:\WINDOWS\nsreg.dat
2008-03-02 23:58 . 2007-09-25 00:31   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-03-02 23:57 . 2008-03-02 23:57   <DIR>   d--------   C:\Program Files\Common Files\Java
2008-03-02 08:58 . 2008-03-02 08:58   <DIR>   d--------   C:\Program Files\Trend Micro
2008-02-27 22:58 . 2008-03-03 21:31   <DIR>   d--------   C:\Documents and Settings\Mark Neary\Application Data\SpywareStop
2008-02-27 21:52 . 2008-02-27 21:52   <DIR>   d--------   C:\VundoFix Backups
2008-02-27 21:27 . 2008-02-28 16:32   <DIR>   d--------   C:\WINDOWS\LMI38.tmp
2008-02-14 18:22 . 2008-02-14 18:22   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Dell

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 08:00   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-03-08 06:54   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-03-08 06:54   ---------   d-----w   C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-08 06:43   ---------   d-----w   C:\Program Files\TurboTax
2008-03-05 02:40   3,350   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-04 13:47   ---------   d-----w   C:\Program Files\ErrorKiller
2008-03-04 04:31   ---------   d-----w   C:\Documents and Settings\Mark Neary\Application Data\ErrorKiller
2008-03-03 07:15   ---------   d-----w   C:\Program Files\Real
2008-03-03 07:14   348,160   ----a-w   C:\WINDOWS\system32\msvcr71.dll
2008-03-03 07:14   ---------   d-----w   C:\Program Files\Common Files\Real
2008-03-03 06:58   ---------   d-----w   C:\Program Files\Java
2008-02-28 02:44   ---------   d-----w   C:\Documents and Settings\Mark Neary\Application Data\SpywareBot
2008-02-26 05:09   ---------   d-----w   C:\Program Files\McAfee
2008-02-25 19:13   ---------   d-----w   C:\Documents and Settings\Michelle Neary\Application Data\ErrorKiller
2008-02-06 17:51   171,400   ----a-w   C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-04 04:54   53,312   ----a-w   C:\WINDOWS\system32\eemtogwl.exe
2008-02-02 12:50   96,832   ----a-w   C:\WINDOWS\system32\tdpeilfj.dll
2008-02-02 12:47   53,312   ----a-w   C:\WINDOWS\system32\pojdacuo.exe
2008-02-01 00:45   53,312   ----a-w   C:\WINDOWS\system32\nmaflglt.exe
2008-01-30 04:56   ---------   d-----w   C:\Program Files\Dell Games
2008-01-30 04:55   ---------   d-----w   C:\Program Files\Eusing Free Registry Cleaner
2008-01-30 04:54   ---------   d-----w   C:\Program Files\Dell
2008-01-30 00:44   53,312   ----a-w   C:\WINDOWS\system32\eumfuoxo.exe
2008-01-28 05:03   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-01-28 00:37   53,312   ----a-w   C:\WINDOWS\system32\serofpnb.exe
2008-01-27 00:37   53,312   ----a-w   C:\WINDOWS\system32\ivhsagsw.exe
2008-01-26 00:41   53,312   ----a-w   C:\WINDOWS\system32\vkulckho.exe
2008-01-25 00:40   53,312   ----a-w   C:\WINDOWS\system32\wpqjbvfr.exe
2008-01-23 21:07   53,312   ----a-w   C:\WINDOWS\system32\ywtlxppy.exe
2008-01-22 21:07   53,312   ----a-w   C:\WINDOWS\system32\ualfebar.exe
2008-01-14 16:32   ---------   d-----w   C:\Program Files\Lavasoft
2008-01-14 16:32   ---------   d-----w   C:\Documents and Settings\Mark Neary\Application Data\Lavasoft
2008-01-14 16:30   ---------   d-----w   C:\Program Files\PopupRadar
2008-01-13 17:58   ---------   d-----w   C:\Documents and Settings\Michelle Neary\Application Data\SpywareBot
2008-01-11 05:53   44,544   ----a-w   C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01   347,136   ----a-w   C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51   179,584   ------w   C:\WINDOWS\system32\dllcache\mrxdav.sys
2006-11-07 01:54   774,144   ----a-w   C:\Program Files\RngInterstitial.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-01 18:48 68856]
"SpywareStop"="C:\Program Files\SpywareStop\SpywareStop.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 339968 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 06:56 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19 53248]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 15:34 106496]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-03 00:14 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 23:36:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-24 00:34:53 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 09:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-04 11:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 10:20:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 10:20:52
ComboFix-quarantined-files.txt  2008-03-09 17:20:50
ComboFix2.txt  2008-03-08 05:50:24
ComboFix3.txt  2008-03-06 06:30:12
.
2007-12-13 07:23:01   --- E O F --- 

Corrine

Believe it or not, the Kaspersky log isn't as bad as it looks.  However, I'm seeing something in the ComboFix log that I want to investigate further and consult with the other members of the team.  So, in the meantime, please do the following:

Please change your settings to show hidden files.  You can change the setting back when the cleanup is completed.

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Please download ATF Cleaner by Atribune from http://www.atribune.org/content/view/25/2/ .  Save it to your Desktop.

Restart your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe Mode.
  • Login on your usual account.
Locate and remove the following:

C:\Program Files\ErrorKiller
C:\My Music\Spywarestop_setupxv.exe
C:\Documents and Settings\Mark Neary\Application Data\ErrorKiller
C:\Documents and Settings\Mark Neary\Application Data\SpywareBot
C:\Documents and Settings\Michelle Neary\Application Data\ErrorKiller
C:\Documents and Settings\Michelle Neary\Application Data\SpywareBot
C:\Documents and Settings\Mark Neary\Application Data\Sun\Java\Deployment\cache\6.0\20\5312bcd4-5a82d998
C:\Documents and Settings\Mark Neary\Application Data\Sun\Java\Deployment\cache\6.0\58\44eef97a-42a9216c

Now run ATF Cleaner:

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
  • Click Exit on the Main menu to close the program.
  • Shutdown/restart the computer.
Please repeat the process on the other account on the computer.  Let me know if you were unable to remove any of the files.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

trouble

Ok I deleted all of the files and then ran the ATF cleaner on each of the accounts.  It seemed to clean everything off.   I ran it each time in safe mode.  There was a lot of stuff out there.

Corrine

Good job!

Before I post the next set of instructions, please advise as to whether your McAfee subscription is current and also if you intentionally turned off the Security Center monitoring of antivirus/firewall.   


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

trouble

My McAfee is up to date.  In fact I think it updates on a daily basis through comcast.  I intentionally shut off all of the McAfee things when I was running the programs as instructed.  As soon as they were done I restored the settings.  When I look at the McAfee security center now it tells me that I am protected and that my firewall is on.  So when I was running the combofix log all of the McAfee programs were disabled.  Hopefully that is what I was supposed to do.  :)

Corrine

Thanks for that information.  It makes a difference in what I hope will be the last go-through with ComboFix for you. 

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
C:\WINDOWS\system32\eemtogwl.exe
C:\WINDOWS\system32\tdpeilfj.dll
C:\WINDOWS\system32\pojdacuo.exe
C:\WINDOWS\system32\nmaflglt.exe
C:\WINDOWS\system32\eumfuoxo.exe
C:\WINDOWS\system32\serofpnb.exe
C:\WINDOWS\system32\ivhsagsw.exe
C:\WINDOWS\system32\vkulckho.exe
C:\WINDOWS\system32\wpqjbvfr.exe
C:\WINDOWS\system32\ywtlxppy.exe
C:\WINDOWS\system32\ualfebar.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

[screenshot: dragging CFScript.txt onto ComboFix.exe]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site Link >> TotalScan << LINK

  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply along with the ComboFix log and a yet another HijackThis log.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
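The file list in the CFScript above and the Security Center and firewall entries in the earlier ComboFix log follow a pattern a responder can check mechanically rather than by eye. The script below is an added example, not code from this thread or from any of the tools it mentions: it parses Find3M-style lines and REGEDIT4-style lines in the ComboFix layout (a constructed sample copied from the posted log) and flags random-name binaries of identical size in system32 together with the monitoring and firewall values that are switched off. The eight-lowercase-letter name heuristic and the "two or more files of one size" threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the ComboFix layout used in this thread: the Find3M
# lines and registry lines are copied from the posted logs, trimmed to a few
# entries so the script runs offline.
SAMPLE_LOG = r"""
2008-03-03 07:14   348,160   ----a-w   C:\WINDOWS\system32\msvcr71.dll
2008-02-06 17:51   171,400   ----a-w   C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-04 04:54   53,312   ----a-w   C:\WINDOWS\system32\eemtogwl.exe
2008-02-02 12:50   96,832   ----a-w   C:\WINDOWS\system32\tdpeilfj.dll
2008-02-02 12:47   53,312   ----a-w   C:\WINDOWS\system32\pojdacuo.exe
2008-02-01 00:45   53,312   ----a-w   C:\WINDOWS\system32\nmaflglt.exe
2008-01-30 04:56   ---------   d-----w   C:\Program Files\Dell Games
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# One Find3M line: date, size (or dashes for a directory), attribute flags, path.
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+"
    r"(?P<attrs>[-\w]+)\s+"
    r"(?P<path>[A-Za-z]:\\.*?)\s*$"
)
# Assumed heuristic for the dropper names seen in this thread: eight lowercase
# letters followed by .exe or .dll.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(exe|dll)$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# Security Center / firewall values that silence or disable protection when
# set as shown (the values that appear in the posted log).
WEAKENING_VALUES = {
    "antivirusdisablenotify": "dword:00000001",
    "disablemonitoring": "dword:00000001",
    "enablefirewall": "0 (0x0)",
}


def parse_find3m(text):
    """Return a list of (size_or_None, path) for every Find3M-style line."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        size = None if size.startswith("-") else int(size.replace(",", ""))
        entries.append((size, m.group("path")))
    return entries


def suspicious_binaries(entries):
    """Files directly in \\WINDOWS\\system32 whose names look machine-generated."""
    hits = []
    for size, path in entries:
        folder, _, name = path.rpartition("\\")
        if folder.lower().endswith("\\windows\\system32") and RANDOM_NAME_RE.match(name):
            hits.append(path)
    return hits


def size_clusters(entries, min_count=2):
    """Group the suspicious files by byte size; repeated sizes suggest one dropper."""
    by_size = defaultdict(list)
    flagged = set(suspicious_binaries(entries))
    for size, path in entries:
        if path in flagged and size is not None:
            by_size[size].append(path)
    return {s: p for s, p in by_size.items() if len(p) >= min_count}


def weakened_protection(text):
    """Return (key, value_name) pairs whose value matches a known weakening setting."""
    findings, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key:
            expected = WEAKENING_VALUES.get(vm.group("name").lower())
            if expected and vm.group("value").strip().lower() == expected:
                findings.append((current_key, vm.group("name")))
    return findings


def triage(text):
    """Run all three checks over one ComboFix log and collect the findings."""
    entries = parse_find3m(text)
    return {
        "suspicious": suspicious_binaries(entries),
        "size_clusters": size_clusters(entries),
        "weakened": weakened_protection(text),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

Point it at a full ComboFix.txt by reading the file into `triage()`; the size cluster and the disabled-monitoring values are what an analyst would want restored and re-checked after cleanup.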

trouble

I must be tired.  I forgot to shut off McAfee and so when the license agreement for combo fix came up I clicked no and now combofix is gone.  Do I have to start over or can I download combofix again and just go from there?  Sorry about the mistake.

trouble

Well I mustered up some courage and just redownloaded combo fix, starting where I left off.  This time I actually disabled McAfee like I was supposed to the first time.  The total scan is a little scary, apparently I am still infected.  See attached.

combo fix log

ComboFix 08-03-10.1 - Mark Neary 2008-03-13  5:03:44.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.255 [GMT -7:00]
Running from: C:\Documents and Settings\Mark Neary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Neary\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\eemtogwl.exe
C:\WINDOWS\system32\eumfuoxo.exe
C:\WINDOWS\system32\ivhsagsw.exe
C:\WINDOWS\system32\nmaflglt.exe
C:\WINDOWS\system32\pojdacuo.exe
C:\WINDOWS\system32\serofpnb.exe
C:\WINDOWS\system32\tdpeilfj.dll
C:\WINDOWS\system32\ualfebar.exe
C:\WINDOWS\system32\vkulckho.exe
C:\WINDOWS\system32\wpqjbvfr.exe
C:\WINDOWS\system32\ywtlxppy.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\eemtogwl.exe
C:\WINDOWS\system32\eumfuoxo.exe
C:\WINDOWS\system32\ivhsagsw.exe
C:\WINDOWS\system32\nmaflglt.exe
C:\WINDOWS\system32\pojdacuo.exe
C:\WINDOWS\system32\serofpnb.exe
C:\WINDOWS\system32\tdpeilfj.dll
C:\WINDOWS\system32\ualfebar.exe
C:\WINDOWS\system32\vkulckho.exe
C:\WINDOWS\system32\wpqjbvfr.exe
C:\WINDOWS\system32\ywtlxppy.exe

.
(((((((((((((((((((((((((   Files Created from 2008-02-13 to 2008-03-13  )))))))))))))))))))))))))))))))
.

2008-03-09 10:32 . 2008-03-09 10:32   <DIR>   d--------   C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 10:32 . 2008-03-09 10:32   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 00:16 . 2008-03-03 00:16   <DIR>   d--------   C:\Documents and Settings\Mark Neary\Application Data\Talkback
2008-03-03 00:15 . 2008-03-03 00:15   <DIR>   d--------   C:\Program Files\Common Files\xing shared
2008-03-03 00:15 . 2008-03-03 00:15   0   --a------   C:\WINDOWS\nsreg.dat
2008-03-02 23:58 . 2008-02-22 02:33   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-03-02 23:57 . 2008-03-02 23:57   <DIR>   d--------   C:\Program Files\Common Files\Java
2008-03-02 08:58 . 2008-03-02 08:58   <DIR>   d--------   C:\Program Files\Trend Micro
2008-02-27 22:58 . 2008-03-03 21:31   <DIR>   d--------   C:\Documents and Settings\Mark Neary\Application Data\SpywareStop
2008-02-27 21:52 . 2008-02-27 21:52   <DIR>   d--------   C:\VundoFix Backups
2008-02-27 21:27 . 2008-02-28 16:32   <DIR>   d--------   C:\WINDOWS\LMI38.tmp
2008-02-14 18:22 . 2008-02-14 18:22   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Dell

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 13:34   ---------   d-----w   C:\Program Files\Java
2008-03-08 08:00   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-03-08 06:54   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-03-08 06:54   ---------   d-----w   C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-08 06:43   ---------   d-----w   C:\Program Files\TurboTax
2008-03-05 02:40   3,350   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-03 07:15   ---------   d-----w   C:\Program Files\Real
2008-03-03 07:14   348,160   ----a-w   C:\WINDOWS\system32\msvcr71.dll
2008-03-03 07:14   ---------   d-----w   C:\Program Files\Common Files\Real
2008-02-26 05:09   ---------   d-----w   C:\Program Files\McAfee
2008-02-06 17:51   171,400   ----a-w   C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-30 04:56   ---------   d-----w   C:\Program Files\Dell Games
2008-01-30 04:55   ---------   d-----w   C:\Program Files\Eusing Free Registry Cleaner
2008-01-30 04:54   ---------   d-----w   C:\Program Files\Dell
2008-01-28 05:03   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-01-14 16:32   ---------   d-----w   C:\Program Files\Lavasoft
2008-01-14 16:32   ---------   d-----w   C:\Documents and Settings\Mark Neary\Application Data\Lavasoft
2008-01-14 16:30   ---------   d-----w   C:\Program Files\PopupRadar
2008-01-11 05:53   44,544   ----a-w   C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01   347,136   ----a-w   C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51   179,584   ------w   C:\WINDOWS\system32\dllcache\mrxdav.sys
2006-11-07 01:54   774,144   ----a-w   C:\Program Files\RngInterstitial.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-01 18:48 68856]
"SpywareStop"="C:\Program Files\SpywareStop\SpywareStop.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 339968 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 06:56 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 15:34 106496]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-03 00:14 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 22:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-24 00:34:53 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 09:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-10 10:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 05:06:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-13  5:06:56
ComboFix-quarantined-files.txt  2008-03-13 12:06:54
ComboFix2.txt  2008-03-09 17:20:53
ComboFix3.txt  2008-03-08 05:50:24
ComboFix4.txt  2008-03-06 06:30:12
.
2008-03-12 13:41:07   --- E O F --- 


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:15 AM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareStop] C:\Program Files\SpywareStop\SpywareStop.exe -boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 10398 bytes


And for the scary part, here is the total scan log:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-03-13 06:19:47
PROTECTIONS: 1
MALWARE: 47
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description                                  Version                       Active    Updated
;===================================================================================================================================================================================
McAfee VirusScan                                                           Yes       Yes
;===================================================================================================================================================================================
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;===================================================================================================================================================================================
00139059  Cookie/Traffic Marketplace         TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\10.qit
00139059  Cookie/Traffic Marketplace         TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\14.qit
00139059  Cookie/Traffic Marketplace         TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\15.qit
00139059  Cookie/Traffic Marketplace         TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@trafficmp[1].txt
00139060  Cookie/Casalemedia                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@casalemedia[1].txt
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\8.qit
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@doubleclick[2].txt
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\8.qit
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\07-03-2008-00-21-09\2.qit
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-17-36-26\0.qit
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\6.qit
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\5.qit
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\4.qit
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\5.qit
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\4.qit
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@atdmt[2].txt
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\5.qit
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\07-03-2008-00-21-09\1.qit
00139535  Application/Processor              HackTools           No        0         Yes            No           C:\Documents and Settings\Mark Neary\Desktop\SmitfraudFix\Process.exe
00145405  Cookie/RealMedia                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\0.qit
00145457  Cookie/FastClick                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\9.qit
00145457  Cookie/FastClick                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\6.qit
00145457  Cookie/FastClick                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@fastclick[1].txt
00145457  Cookie/FastClick                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\7.qit
00145457  Cookie/FastClick                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\9.qit
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\11.qit
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@tribalfusion[2].txt
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\9.qit
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\16.qit
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\15.qit
00145738  Cookie/Mediaplex                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\11.qit
00145738  Cookie/Mediaplex                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\11.qit
00145738  Cookie/Mediaplex                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@mediaplex[1].txt
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\1.qit
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@ad.yieldmanager[1].txt
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\07-03-2008-00-21-09\0.qit
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\0.qit
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\0.qit
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\1.qit
00168061  Cookie/Apmebf                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\3.qit
00168061  Cookie/Apmebf                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\3.qit
00168061  Cookie/Apmebf                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@apmebf[1].txt
00168061  Cookie/Apmebf                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\4.qit
00168061  Cookie/Apmebf                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\4.qit
00168076  Cookie/BurstNet                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\6.qit
00168076  Cookie/BurstNet                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\6.qit
00168076  Cookie/BurstNet                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\5.qit
00168076  Cookie/BurstNet                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@burstnet[2].txt
00168097  Cookie/BurstBeacon                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\16.qit
00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\2.qit
00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@advertising[2].txt
00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\2.qit
00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\3.qit
00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\3.qit
00170304  Cookie/WebtrendsLive               TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\07-03-2008-00-21-09\3.qit
00170304  Cookie/WebtrendsLive               TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\17.qit
00170495  Cookie/PointRoll                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\8.qit
00170554  Cookie/Overture                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\12.qit
00170554  Cookie/Overture                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@overture[1].txt
00170556  Cookie/RealMedia                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\13.qit
00170556  Cookie/RealMedia                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\14.qit
00171982  Cookie/QuestionMarket              TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\9.qit
00171982  Cookie/QuestionMarket              TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\13.qit
00171982  Cookie/QuestionMarket              TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@questionmarket[2].txt
00172221  Cookie/Zedo                        TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\17.qit
00172221  Cookie/Zedo                        TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Cookies\mark_neary@zedo[1].txt
00172221  Cookie/Zedo                        TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\18.qit
00517584  Application/SuperFast              HackTools           No        0         Yes            No           C:\Documents and Settings\Mark Neary\Desktop\SmitfraudFix\restart.exe
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0080914.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP677\A0081054.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP669\A0075952.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP669\A0076916.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0079929.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081342.EXE
02197130  Trj/Rebooter.J                     Virus/Trojan        No        1         Yes            No           C:\Documents and Settings\Mark Neary\Desktop\SmitfraudFix\Reboot.exe
02885171  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\28-02-2008-22-19-55\19.qit
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0080908.sys
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP669\A0076910.sys
02897594  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\suhgrfqb.dll.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\gvbbmmsd.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081345.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081344.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\ivhsagsw.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081343.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\eemtogwl.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\dvsqyjfv.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\eumfuoxo.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081346.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\nmaflglt.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0079955.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\pojdacuo.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0079954.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\qeyocycp.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0079948.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\serofpnb.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081353.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081348.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0079946.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081350.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\ualfebar.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\uuxwpqne.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\vkulckho.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\wpqjbvfr.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081351.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\ywtlxppy.exe.vir
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081352.exe
02897596  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081347.exe
02897936  W32/Lineage.HJB.worm               Virus/Trojan        No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\mehvbwsy.dll.vir
02898848  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\llebouhl.dll.vir
02898849  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\spqdxpek.dll.vir
02898852  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\kqiunjfo.dll.vir
02898853  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\elydsdny.dll.vir
02899193  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\cigrmgww.dll.vir
02899864  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\innuuuar.dll.vir
02902098  Spyware/Virtumonde                 Spyware             No

Corrine

Was that the complete log from Total Scan? 

From what I can see, there is one last file to remove and then cleanup.  What is shown in the Total Scan log is the quarantined files and System Restore points.  At the end, I'll give you instructions on clearing System Restore and creating a fresh restore point.  However, you may have noticed that ComboFix creates a new restore point before each run.  This is a safety feature as an infected restore point is better than none at all. 

We're still left with C:\WINDOWS\LMI38.tmp and remnants of SpywareStop. 

See if you can remove the SpywareStop items in safe mode as you did the other files:

C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine 

Please go to: http://virusscan.jotti.org/

Upload the filepath shown below into the "File to upload & scan" box at the upper left:

C:\WINDOWS\LMI38.tmp

Let us know what Jotti has to say in your reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

trouble

I did run the total scan.  It took about an hour to complete.

I was able to remove the quarantine directory in safe mode, then I ran the ATF cleaner again.

When I went to Jotti and uploaded the file, I got the following reply when I submitted it:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

Should I turn off my McAfee firewall and virus scan for this process?
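Corrine's post above makes the point that most hits in the Total Scan log are inert copies sitting in quarantine folders or System Restore points, and that only the paths still live on the system (here C:\WINDOWS\LMI38.tmp) need further action; trouble's reply then shows what happens when such a file is uploaded and turns out to be 0 bytes. The script below is an added example for this thread, not a tool either poster used. It parses lines in the quoted Total Scan column layout, sorts each hit by where it lives, and fingerprints any live file (size and SHA-256) before it is sent anywhere, which is the check that would have surfaced the 0-byte result locally. The sample lines are constructed from paths quoted in the thread, except the final LMI38.tmp line with id 00000000, which is made up to stand in for a live hit; the location labels and the `fingerprint` helper are this example's own naming.

```python
"""Triage a fixed-column anti-malware scan log (the Total Scan layout quoted
in this thread).  Added example for the thread, not a tool the posters used.
Hits in quarantine folders or System Restore points are copies of files that
were already removed from their original location; hits on other paths are
"live" and still need attention."""
import hashlib
import os
import re
from collections import Counter

# One record per line: id, detection name, type, three flag columns, a count,
# then the path.  Columns are separated by runs of two or more spaces, while
# a path such as "C:\Documents and Settings\..." only contains single spaces.
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s{2,}(?P<name>\S+)\s{2,}(?P<type>\S+)\s{2,}"
    r"(?P<col4>\S+)\s{2,}(?P<count>\d+)\s{2,}(?P<col6>\S+)\s{2,}(?P<col7>\S+)\s{2,}"
    r"(?P<path>\S.*?)\s*$"
)

# Constructed sample: the first four lines reuse paths quoted in the thread;
# the last line (id 00000000) is invented to represent a live, unquarantined hit.
SAMPLE_LOG = r"""
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP669\A0075952.EXE
02197130  Trj/Rebooter.J                     Virus/Trojan        No        1         Yes            No           C:\Documents and Settings\Mark Neary\Desktop\SmitfraudFix\Reboot.exe
02885171  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\28-02-2008-22-19-55\19.qit
02897594  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\QooBox\Quarantine\C\WINDOWS\system32\suhgrfqb.dll.vir
00000000  Spyware/Virtumonde                 Spyware             No        1         Yes            No           C:\WINDOWS\LMI38.tmp
"""

# Location rules (labels are this example's own).  Matched case-insensitively
# against the path; anything that matches no rule is treated as live.
LOCATION_RULES = (
    (r"\\QooBox\\Quarantine\\", "combofix-quarantine"),
    (r"\\System Volume Information\\_restore", "system-restore"),
    (r"\\SpywareStop\\Quarantine\\", "tool-quarantine"),
    (r"\\SmitfraudFix\\", "removal-tool-folder"),
)


def classify_path(path):
    """Return the location label for a detected path, or 'live'."""
    for pattern, label in LOCATION_RULES:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return "live"


def parse_log(text):
    """Parse every well-formed record; headers, blank lines and a truncated
    trailing line (as in the post above) are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        rec["location"] = classify_path(rec["path"])
        entries.append(rec)
    return entries


def triage(text):
    """Summarise hits by location and list the ones that are still live."""
    entries = parse_log(text)
    by_location = Counter(e["location"] for e in entries)
    live = [e for e in entries if e["location"] == "live"]
    return {"total": len(entries), "by_location": dict(by_location), "live": live}


def fingerprint(path):
    """Size and SHA-256 of a file before it is uploaded anywhere.
    None if the path does not exist; an 'error' entry if it cannot be read
    (e.g. locked by a running process).  A size of 0 means there is no
    content to analyse, which is the 0-byte result reported in the thread."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError as exc:
        return {"size": os.path.getsize(path), "error": str(exc)}
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("hits by location:", report["by_location"])
    for e in report["live"]:
        print("LIVE:", e["name"], e["path"], fingerprint(e["path"]))
```

Run against a real log, the `by_location` counts tell you at a glance how much of a long listing is residue from earlier cleanup runs, and the `live` list is the short set worth fingerprinting and submitting; a 0-byte or unreadable result from `fingerprint` is found before any upload is attempted.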